Researchers from the University of Washington believe that smartphone ads purchased for the purpose of tracking a consumer's movements and app habits can be acquired for as little as $1,000.

Typically, ads are purchased to direct marketing efforts to specific consumers based on their browsing and purchasing histories and their social media habits. However, in the wrong hands, the ads can potentially be used to track and spy on the consumer.

"Anyone, from a foreign intelligence agent to a jealous spouse, can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual's behavior," said lead author Paul Vines, a recent doctoral graduate in the UW's Paul G. Allen School of Computer Science & Engineering.

Purchasing an ad lets the buyer deliver location-based ads to the target's phone. Additionally, the buyer may also be able to view what apps were used by the target, which could reflect private details about the target's life, including dating habits, health, religion political affiliation, etc.

"Because it was so easy to do what we did, we believe this is an issue that the online advertising industry needs to be thinking about," said co-author Franzi Roesner, co-director of the UW Security and Privacy Research Lab and an assistant professor in the Allen School. "We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them."

Tracking and monitoring can potentially be achieved once the user learns a target's mobile advertising ID (MAID). The MAID is a unique identifier that makes it possible for marketers to tailor advertisements to the user based on their interests. The MAID can also be accessed by eavesdropping on an unsecured wireless network or by gaining access to a user's WiFi router.

In their study, researchers showed that advertising service customers can purchase a number of hyperlocal ads, which can be served exclusively to that phone when its owner opens an app in a specific location. By setting up a grid of these location-based ads, the buyer can locate the target's moves if the app is opened and the target stays in the location long enough for an ad to be served (for roughly four minutes the team determined). Researchers were able to pinpoint the target's location within nearly 8 meters.

"To be very honest, I was shocked at how effective this was," said co-author Tadayoshi Kohno, an Allen School professor who has studied security vulnerabilities in products ranging from automobiles to medical devices. "We did this research to better understand the privacy risks with online advertising. There's a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there's also the opportunity for adversaries to begin exploiting that additional precision. It is important to understand both the benefits and risks with technologies."

According to researchers, some possible solutions might include resetting MAIDs and disabling location tracking in individual app settings.